UEFI Bootkit Successfully Hits Windows 11 BlackLotus

d3athf1sh ([H]ard|Gawd), joined Dec 16, 2015, 1,216 messages
"BlackLotus has become the first publicly known malware capable of bypassing secure boot defenses." (and therefore also TPM) Guess it was only a matter of time?
https://thehackernews.com/2023/03/blacklotus-becomes-first-uefi-bootkit.html

BlackLotus malware
ESET researchers discovered the first components of BlackLotus back in late 2022, when they noticed "the BlackLotus user-mode component" in telemetry. Assessment led to the discovery of six BlackLotus installers and the realization that BlackLotus was no ordinary malware.

The researchers made the following discoveries about the malware:
  • BlackLotus was able to run on fully patched Windows 11 systems with UEFI Secure Boot enabled.
  • The malware exploits a year-old vulnerability, CVE-2022-21894, which is a Secure Boot Security Feature bypass vulnerability. Microsoft did fix the issue in the January 2022 update, but exploitation is still possible, "as the affected, validly signed binaries have still not been added to the UEFI revocation list".
  • The malware can disable operating system security features, including BitLocker, Windows Defender and HVCI (Hypervisor-Protected Code Integrity).
  • BlackLotus deploys a kernel driver, which protects the bootkit, and an HTTP downloader, which may load additional payloads and communicates with command and control.
  • The earliest mention of BlackLotus dates back to October 6, 2022. The bootkit was advertised on an underground forum.
  • Some of the BlackLotus installers skip the bootkit installations if they detect certain locales on the device.
ESET's analysis of BlackLotus is detailed and very technical. Interested users should check out the blog post for the full details.

https://www.ghacks.net/2023/03/02/w...-blacklotus-uefi-bootkit-defeats-secure-boot/
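The "UEFI revocation list" ESET refers to is the Secure Boot forbidden-signature database (DBX), a firmware variable made of EFI_SIGNATURE_LIST structures. As an added example (not code from the thread, ESET, or Microsoft), this PowerShell function parses a DBX blob and summarises what it revokes; the sample blob at the end is constructed so the parser runs offline, and the live check assumes an elevated shell on a UEFI Windows machine.

```powershell
# Added example, not from the thread: parse the UEFI Secure Boot forbidden
# database (DBX) into its EFI_SIGNATURE_LIST entries and summarise what is
# revoked. Reading the live variable needs an elevated shell on a UEFI system.
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID

function Get-DbxSummary {
    param([byte[]]$Bytes)
    $sha256 = New-Object System.Collections.Generic.List[string]
    $x509 = 0; $other = 0
    $offset = 0
    # Walk consecutive EFI_SIGNATURE_LIST structures:
    #   SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4) | header | entries
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid][byte[]]$Bytes[$offset..($offset + 15)]
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # Each entry is SignatureOwner GUID(16) followed by SignatureData.
            $data = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EfiCertSha256) {
                $sha256.Add((($data | ForEach-Object { $_.ToString('x2') }) -join ''))
            } elseif ($type -eq $EfiCertX509) {
                $x509++
            } else {
                $other++
            }
            $pos += $sigSize
        }
        $offset = $end
    }
    [pscustomobject]@{
        Sha256Hashes = $sha256.Count
        X509Certs    = $x509
        OtherEntries = $other
        Hashes       = $sha256.ToArray()
    }
}

# Constructed sample (not a real DBX): one SHA-256 list holding a single dummy hash,
# so the parser can be exercised on any machine without touching firmware variables.
$dummyHash = [byte[]](1..32)
$sampleDbx = [byte[]]($EfiCertSha256.ToByteArray() +
                      [BitConverter]::GetBytes([uint32](28 + 48)) +   # ListSize
                      [BitConverter]::GetBytes([uint32]0) +           # HeaderSize
                      [BitConverter]::GetBytes([uint32]48) +          # SignatureSize = 16 + 32
                      [guid]::Empty.ToByteArray() +                   # SignatureOwner
                      $dummyHash)
Get-DbxSummary -Bytes $sampleDbx | Format-List

# Live check. Confirm-SecureBootUEFI and Get-SecureBootUEFI are built-in cmdlets;
# they throw on legacy-BIOS systems and need an elevated shell.
try {
    if (Confirm-SecureBootUEFI) {
        $live = Get-DbxSummary -Bytes (Get-SecureBootUEFI -Name dbx).Bytes
        "DBX holds $($live.Sha256Hashes) hash and $($live.X509Certs) certificate revocations"
    }
} catch {
    "Secure Boot state not readable here: $($_.Exception.Message)"
}
```

Comparing the reported hash list against the current Microsoft DBX update is how an admin confirms whether the revocations ESET describes as missing have reached a given machine.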
 
 
modus operandi

noun

  1. A method of operating or functioning.

Doesn't mean it's not a problem. Copied this from PC Perspective (https://pcper.com/2023/03/blacklotus-eats-secure-boot-for-breakfast-and-likes-it/)

"That is the real use of BlackLotus, the ability to render a machine permanently vulnerable to other malware attacks by granting admin access to processes in order to leverage any other system vulnerabilities present on your system. >>There is nothing you can do to remove it if you have been infected, short of tossing your motherboard.<< However, keeping your system up to date with patches will limit secondary infections which will protect against the secondary infections which BlackLotus tries to load onto your system.

If you want to terrify yourself, read the full story at Ars Technica where they delve into the technical aspects of this fresh hell."

I mean yeah, they said they haven't really seen it do damage yet, but it looks like the guy's selling it as an exploit to people that would want to do something nefarious. And I just thought it was significant being the first bit of malware to break secure boot? I'm sure once people figure out how it's done, there will be more.
 
My impression from the articles I read is that the installation needs to be initiated by the end user, whether it's a payload included in a third-party download or not. In other words: Don't download software and drivers from third-party sites. Go directly to the source.
 
From other forums, it seems to be included in a lot of hacks for games like Escape from Tarkov, War Thunder, and other popular multi-player games in Europe. Don't cheat.
 
Assuming BIOS flashing was disabled and BIOS is not compromised (appears to not be from the article), it appears you could recover the hardware by switching to legacy BIOS boot and deleting all secure boot keys. However, the entire contents of the disk/OS I would not trust. Write /dev/urandom to it from a safe machine. And perhaps flash the BIOS afterwards to the latest version for good measure.
 
All y’all posting about how we should switch to Linux because of this seem to have missed the earlier news of the Chaos variant of this which affects all known Linux versions in the exact same way, on ARM and PowerPC distributions as well, including embedded.
 
You're missing the point in that Microsoft, which is pushing for Secure Boot and TPM 2.0 for better security, has already failed. Meanwhile Linux is working on actually making the OS secure and not depending on hardware gimmicks like Microsoft did, which will almost certainly be used as a form of DRM instead of securing your PC. The only way BlackLotus will work on Linux is through administration privileges. Whereas many Windows installs are running as local admin accounts, because it would be annoying to do so otherwise.
 
I don't personally care about Windows regarding this except for the fact that MS is making TPM a requirement to use the OS. And the Windows zealots going on about how it's somehow a good thing but can't make the case why it's a good thing. TPM was a horrible idea when it was first proposed and it's still a horrible idea now. From a security standpoint it's terrible because it's a single point of failure which leads to many security problems when, not if, it's compromised. Since it's a single attack vector it was going to be focused on to break it.

TPM, like Secure Boot, is only for the benefit of those who would control the hardware you own. And as a single point of failure it's also for the benefit of those who would compromise it.
 
You're not permanently elevated in Windows, not that it matters at that point - if the exploit is successful, it's probably already loaded a kernel mode driver before you've even logged in. You're doomed regardless of permissions.

Same thing in Linux. If this thing is running in Kernel mode, all bets are off as no protection can be trusted at that point.

edit: Although UAC seems to have an obnoxious amount of bypasses, in which case you're at the mercy of Windows Defender or whatever you're using catching whatever before it executes. The auto elevate feature of UAC is insanely fucking terrible and leads to all kinds of ridiculous shit that should never be possible. Some built in tools will silently start elevated, and you can do dumb shit like managing to open PowerShell from within them. It'll launch under the same context and now you have a shell that's elevated without ever seeing a UAC prompt.

You need to turn up UAC to its highest level to avoid this. Or you can strip yourself out of the admin group and create another user, but then any time you hit something that needs admin rights, you'll need to shift-right click and run it as your admin user... and then deal with the fact that paths might be fucked up because it's running under a completely different user context.
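The UAC behaviour described in the post is controlled by a handful of policy values under the System policies key. As an added example (not from the post or from Microsoft), this PowerShell reads those values, tells you which notification level you are at and whether the current shell is already elevated, and includes the change to "Always notify" that the post recommends; it assumes a standard Windows install where these values exist.

```powershell
# Added example, not from the thread: read the UAC policy values that decide
# whether an administrator sees a prompt, and report whether the current shell
# is already elevated. Value names are the documented Windows policy settings.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $enableLua     = [int]$p.EnableLUA                    # 0 = UAC disabled entirely
    $consent       = [int]$p.ConsentPromptBehaviorAdmin   # meaning listed below
    $secureDesktop = [int]$p.PromptOnSecureDesktop        # 1 = prompt on the secure desktop
    # ConsentPromptBehaviorAdmin: 0 elevate silently, 1 credentials (secure desktop),
    # 2 consent (secure desktop), 3 credentials, 4 consent,
    # 5 consent only for non-Windows binaries (the default that lets built-in
    # Windows tools auto-elevate without a prompt).
    $level = switch ($consent) {
        0 { 'Never notify (elevates silently)' }
        2 { if ($secureDesktop -eq 1) { 'Always notify' } else { 'Consent prompt, not on secure desktop' } }
        5 { 'Default: Windows binaries auto-elevate without a prompt' }
        default { "ConsentPromptBehaviorAdmin=$consent" }
    }
    # Is this very shell already running with the full administrator token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    [pscustomobject]@{
        UacEnabled      = ($enableLua -eq 1)
        PromptLevel     = $level
        ShellIsElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        AtHighestLevel  = ($enableLua -eq 1 -and $consent -eq 2 -and $secureDesktop -eq 1)
    }
}

# Raise UAC to "Always notify", the setting the post recommends. Needs an
# elevated shell; turning EnableLUA from 0 to 1 also needs a reboot.
function Set-UacAlwaysNotify {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name EnableLUA -Value 1
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop -Value 1
}

Get-UacPosture | Format-List
```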
 
What is the “Chaos” variant? I also highly doubt powerpc is affected at all since no powerpc platform even supports, let alone uses, UEFI to provide boot services.
 
https://www.bleepingcomputer.com/ne...s-windows-linux-devices-for-ddos-attacks/amp/

https://arstechnica.com/information...ed-hundreds-of-linux-and-windows-devices/amp/

The attack vector is not limited to UEFI or TPM, that just gets clicks.

malware can also infect various architectures, including x86, x86-64, AMD64, MIPS, MIPS64, ARMv5-ARMv8, AArch64, and PowerPC, used by a wide range of devices from small office/home office routers and enterprise servers.

"The potency of the Chaos malware stems from a few factors," Black Lotus Labs researchers wrote in a Wednesday morning blog post. "First, it is designed to work across several architectures, including: ARM, Intel (i386), MIPS and PowerPC—in addition to both Windows and Linux operating systems. Second, unlike largescale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos propagates through known CVEs and brute forced as well as stolen SSH keys."

BlackLotus is another variant of that guy there.
 
You’re confusing things here - one is a UEFI bootkit that can amongst other things insert malware and one is the actual malware. The UEFI bootkit will absolutely not work on any modern (or old afaik) PowerPC machine because there is no UEFI. The article is correct that there may be other vulnerabilities/CVEs in older/unpatched versions of PowerPC boot firmware/loaders (OPAL, skiboot, petitboot, etc) but as far as hijacking Secure Boot on powerpc it is literally impossible to do with a UEFI bootkit.

The quote about malware’s ability to infect other architectures is basically a nothing burger in terms of novelty - especially since it’s written in golang - that’s literally just a compile target. We’re not talking about (micro)arch specific exploits here like Spectre/Meltdown and friends.
 
You're not permanently elevated in Windows, not that it matters at that point - if the exploit is successful, it's probably already loaded a kernel mode driver before you've even logged in. You're doomed regardless of permissions.
It needs to gain privileges to install itself in the first place.

You're missing the point in that Microsoft who is pushing for Secure Boot and TPM 2.0 for better security has already failed.
Not sure about the "already" part; it is impressive that it took a whole 12 years to happen, no? Maybe the next one will be good for 50 years.

Where as many Windows installs are running as local admin accounts, because it would be annoying to do so otherwise.
Running as an admin account is far from enough. According to the article and others, the attacker already had to act with elevated privileges to install itself.
 
Not sure about the already part, it is impressive that it took a whole 12 years to happen, no ? Next one will maybe be 50 years good.
Depends on how you look at it. Considering that nobody used TPM 2.0 until Windows 11 was released, which required it, which was about October 2021. So realistically it's been about a year and a half. Not just TPM 2.0 but Secure Boot as well. If you really REALLY want to be realistic about this, it was hacked a year later since BlackLotus was discovered in October 2022.
Running has a admin account is far to be enough. The attacker achieved to do what it wanted with elevated privileges already to install itself according to the article and others
From what I understand this is all designed to get into a Windows machine, and it uses Linux's GRUB to do so. Considering how Windows and GNU/Linux handle elevated privileges, it's no wonder it's easy to social engineer this into a Windows machine. Unless things have changed with Windows 11, because I haven't tried it yet, you just hit yes when the UAC pop-up comes up and you're done. With Linux and Mac you need to enter your password, which should be a rare event that needs caution, because realistically no application needs root. So if you downloaded a browser add-on and it needs root, you know something's wrong.

The problem is that Windows idea of security is a yes or no answer. One that comes up for a lot of things you do in Windows, that has no business doing so. So 99 times out of 100, people will hit yes without reading and understanding what it's for.
 
Depends on how you look at it. Considering that nobody used TPM 2.0 until Windows 11 was released, which required it, which was about October 2021. So realistically it's been about a year and a half. Not just TPM 2.0 but Secure Boot as well
That sounds like a fair enough way to look at it, if it is true that nothing of value used TPM in the field; was it not available on Windows Server and whatnot for all that time?

So 99 times out of 100, people will hit yes without reading and understanding what it's for
A lot of those people would type sudo and enter their password without understanding what it is for, following instructions, if they were on Linux as well.

Windows admin privilege is quite the mess, because like you said a lot of people end up on an admin account all day long, so it is made to not really be an admin account; folders do not necessarily obey what you tell them, and so on. But still the virus needs to be placed in something that gets the person to say yes (a bit like getting itself into a script that people will accept typing sudo and their password for, which is quite common).
 
That sounds like a fair enough way to look at it, if it is true that nothing of value used TPM in the field; was it not available on Windows Server and whatnot for all that time?
Probably was but nobody there is dumb enough to give elevated privileges let alone install or run something they found online.
A lot of those people would type sudo and enter their password without understanding what it is for, following instructions, if they were on Linux as well.
If you're typing sudo, you're already beyond what most Windows users deal with on their machines.
Windows admin privilege is quite the mess, because like you said a lot of people end up on an admin account all day long, so it is made to not really be an admin account; folders do not necessarily obey what you tell them, and so on. But still the virus needs to be placed in something that gets the person to say yes (a bit like getting itself into a script that people will accept typing sudo and their password for, which is quite common).
The main takeaway isn't how this malware gets access to your machine, but what it circumvented. This whole fiasco over Windows 11 requiring Secure Boot and TPM 2.0, which is still debated over today, has already been made useless. The whole point of Secure Boot and TPM 2.0 is that they offered an extra layer of security even when you do have elevated privileges. Malware still needs permission to screw up your machine, as it has always needed in the past. At this point Microsoft should remove these requirements from Windows 11 and take advantage of them if present. We'll need Secure Boot 3.0 and TPM 3.0 to fix this vulnerability, and I doubt Windows users want to be told they can't use Windows 11.1 without them.
 
I agree that TPM and Secure Boot CAN be useless; however, it is something to have to work around. At least it's there, and can, should and will be improved. But just because it can be defeated doesn't mean it should be thrown out entirely. Everyone knows how easy it is to install W11 without TPM. If my stepfather can do it anyone can. I agree totally on SB 3.0 and TPM 3.0. Remember though, it is an arms race and this defeat and improvement will happen over and over. Every system/OS is flawed. I think Windows is targeted more often because it's easier to crack and has a larger user base. I just firewall the crap out of my network, implement a custom group policy and hope for the best on my Windows box. My Linux servers stay up for months, no worries really.
 
I agree that TPM and secure boot CAN be useless, however it is something to have to work around. At least it's there, and can, should and will be improved - but just because it can be defeated doesn't mean it should be thrown out entirely.
The reason it should be thrown out is because its main feature is to be a type of DRM. Valorant already requires it, but it can be simulated on a Windows 11 VM. You can't run Valorant on Windows 10 or Windows 11 without Secure Boot and TPM 2.0 enabled. It's just a DRM tool that, like Denuvo, has already failed.

Everyone knows how easy it is to install W11 without TPM. If my stepfather can do it anyone can.
Most people can barely change the date and time, let alone install Windows 11 without TPM 2.0. Getting Windows 11 on a USB and booting off of it to get to the Windows installer is an achievement for most people.
I agree totally on SB 3.0 and TPM 3.0. Remember though, it is an arms race and this defeat and improvement will happen over and over. Every system/OS is flawed. I think Windows is targeted more often because it's easier to crack and has a larger user base. I just firewall the crap out of my network, implement a custom group policy and hope for the best on my Windows box. My Linux servers stay up for months, no worries really.
If Secure Boot and TPM were treated like a CPU extension like AVX-512, then applications would use them if present. That's not the case with Windows 11, which makes it clear that you need these two features to even install Windows 11. What Microsoft did was create another Windows Vista or Windows 8, while depending upon a feature that's been around since 2014 and was likely bypassed long before Windows 11 was released, because no server admin is going to depend on Secure Boot and TPM 2.0 for security alone. So does Microsoft push for SB and TPM 3.0 and make that a requirement, or just use it if found present in the machine for future versions of Windows 11?
 
It's not that they can be useless but are useless and were useless when they were created. In essence they are attempts at "hardware" security which is always going to be a failing proposition for the very reason you named: it's an arms race. Hardware based security is the worst you will ever find because it's generally outdated before the first units come off the production line and can't be updated the way software can be. In the case of Secure Boot and TPM they will always be major security threats because there will always be plenty of hardware which cannot be or never will be updated no matter how badly they are compromised.

I'm pretty sure Secure Boot requires a new BIOS to be updated, and if a terrible security threat was found tomorrow, the vast majority of motherboards would never see a BIOS update to fix it. I don't know how you could update TPM, if it's even possible, but the likelihood of seeing fixes for that is also extremely rare. Also keep in mind that you cannot get rid of either one since they are literally built into motherboards.

TPM and secure boot are liabilities at best and do nothing positive for the end user.
 